HIPAA compliance requires a combination of written policies, technical safeguards, staff training, and ongoing risk management that together protect patient health information from unauthorized access or disclosure. There is no single certification or checklist that makes you “HIPAA compliant.” Instead, compliance is an ongoing process built around identifying risks to the health data you handle and putting protections in place to address them.
Who Needs to Comply
HIPAA applies to two categories of organizations. The first is covered entities: health care providers (doctors, clinics, dentists, psychologists, chiropractors, nursing homes, pharmacies), health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid), and health care clearinghouses that process health data into standardized formats. Health care providers fall under HIPAA only if they transmit health information electronically in connection with standard transactions like billing or insurance claims, which in practice covers nearly all providers today.
The second category is business associates: any outside company or contractor that handles protected health information on behalf of a covered entity. This includes IT service providers, billing companies, cloud storage vendors, shredding services, consultants, and attorneys who access patient data. Business associates are directly liable for complying with HIPAA’s security and privacy requirements, not just contractually bound to follow them.
What Counts as Protected Health Information
Protected health information (PHI) is any individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, whether it is stored electronically, on paper, or communicated verbally. HIPAA’s Safe Harbor de-identification standard lists 18 identifiers that must be stripped before health data stops being PHI; as long as any of them remains linked to health information, the data is protected. They include names, all geographic subdivisions smaller than a state, dates (other than year) directly related to an individual such as birth, admission, discharge, and death dates, phone and fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers such as fingerprints and voiceprints, full-face photographs, and any other unique identifying number, characteristic, or code.
Even a ZIP code can qualify. The first three digits of a ZIP code may be retained only if the area formed by all ZIP codes sharing that prefix contains more than 20,000 people; otherwise the prefix must be changed to 000 (HHS publishes the affected prefixes, derived from Census data). Ages over 89, and any date element (including the year) that would reveal such an age, must be collapsed into a single “90 or older” category. Safe Harbor also requires that you have no actual knowledge that the remaining information could identify the individual. If your organization handles health data that still carries any of these identifiers, you are handling PHI and must protect it accordingly.
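The following is an added example (not code from the original article or from HHS) showing the Safe Harbor transformations above applied to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, an age over 89 becomes “90+” and its birth year is withheld, and the ZIP code is cut to its three-digit prefix or to 000. The field names, the sample record, and the LOW_POP_ZIP3 set are assumptions for illustration; the authoritative list of low-population prefixes comes from HHS guidance, not from this code.

```python
"""Safe Harbor de-identification of a patient record.

Added example for this article, not code from the original page or from HHS.
It applies the Safe Harbor rules to a constructed record: drop direct
identifiers, reduce dates to the year, report ages over 89 as "90+" (and drop
the birth year that would reveal such an age), and keep only the three-digit
ZIP prefix, changing it to "000" for low-population areas.
"""
from datetime import date

# Field names are an assumption for this example; real EHR schemas differ.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Constructed stand-in for the ZIP3 areas with 20,000 or fewer residents;
# the real list comes from HHS guidance and Census data, not from here.
LOW_POP_ZIP3 = {"036", "059", "102", "203"}

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "000-00-0000",
    "mrn": "MRN-12345",
    "dob": date(1930, 6, 15),
    "zip": "03601",
    "admit_date": date(2023, 11, 2),
    "discharge_date": date(2023, 11, 5),
    "diagnosis": "E11.9",
}


def generalize_zip(zip_code, low_pop=LOW_POP_ZIP3):
    """Return the three-digit ZIP prefix, or "000" for low-population areas."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 3:
        return "000"  # malformed input: suppress rather than guess
    prefix = digits[:3]
    return "000" if prefix in low_pop else prefix


def age_on(dob, as_of):
    """Whole years between dob and as_of, counting only birthdays already passed."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_age(age):
    """Ages over 89 collapse into the single "90+" category."""
    return "90+" if age > 89 else age


def deidentify(record, as_of, low_pop=LOW_POP_ZIP3):
    """Return a Safe Harbor view of record, with ages computed as of as_of."""
    out = {}
    over_89 = False
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        over_89 = age > 89
        out["age"] = generalize_age(age)
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # identifier: dropped entirely
        if key in DATE_FIELDS:
            # Only the year may survive, and not even that for a birth date
            # that would reveal an age over 89.
            if key == "dob" and over_89:
                continue
            out[key + "_year"] = value.year
        elif key == "zip":
            out["zip3"] = generalize_zip(value, low_pop)
        else:
            out[key] = value
    return out


def demo():
    """De-identify the constructed sample record as of 2024-01-01."""
    return deidentify(SAMPLE_RECORD, as_of=date(2024, 1, 1))


if __name__ == "__main__":
    print(demo())
```

Note that the age edge case is handled on both sides: a patient who turns 90 tomorrow is still 89 today and keeps a numeric age, while a 93-year-old loses both the age and the birth year, since the year alone would reveal an age over 89.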
Start With a Risk Analysis
The single most important step in HIPAA compliance is conducting a thorough security risk analysis. HHS requires this, and the absence of a documented risk analysis is one of the most common findings in enforcement actions. There is no mandated method for performing one, but HHS guidance outlines elements every risk analysis must include.
First, define the scope: identify every place your organization creates, receives, stores, or transmits electronic PHI. This means inventorying systems, devices, applications, and even paper records that feed into electronic systems. Next, document potential threats (hackers, employee errors, natural disasters, device theft) and vulnerabilities (unpatched software, lack of encryption, no access controls). Then assess what security measures you already have in place and whether they are configured and used properly.
For each threat-vulnerability combination, estimate how likely it is to occur and what the potential impact would be if it did. The output should be a documented risk level for each scenario and a prioritized list of corrective actions. This is not a one-time exercise. You need to revisit and update your risk analysis whenever your environment changes, whether you adopt new technology, move offices, or experience a security incident.
Administrative Safeguards
Administrative safeguards are the policies, procedures, and human-side controls that form the backbone of your compliance program. Several are required rather than optional.
- Security management process: Beyond the risk analysis itself, you need a formal risk management plan, a sanction policy for employees who violate your rules, and a regular review of system activity logs.
- Assigned security responsibility: Designate a specific person as your security officer. In a small practice, this can be someone wearing multiple hats, but the role must be formally assigned and documented.
- Workforce training: Every employee who has access to PHI needs security awareness training. This should cover password management, recognizing phishing attempts, proper handling of patient data, and what to do if they suspect a breach. Periodic security reminders are also expected.
- Access management: Establish procedures for granting, modifying, and revoking access to PHI. When an employee leaves or changes roles, their access should be adjusted immediately.
- Contingency planning: You need a data backup plan, a disaster recovery plan, and an emergency mode operations plan so you can continue protecting and accessing PHI during a crisis.
- Business associate agreements: Every vendor, contractor, or subcontractor that accesses PHI must sign a written agreement before they touch any data.
Physical Safeguards
Physical safeguards control who can physically access the spaces and devices where PHI lives. This includes facility access controls like locked server rooms, badge access systems, visitor logs, and security cameras. You need documented policies for workstation use that specify where and how employees can access PHI (for instance, whether laptops can leave the office and under what conditions).
Device and media controls matter more than many organizations realize. When you dispose of a hard drive, USB drive, or even a copier with internal storage, you must ensure the PHI on it is properly destroyed. If you reuse media, it must be wiped before reassignment. Keep records of hardware movements and disposals.
Technical Safeguards
Technical safeguards are the technology-based protections built into your systems. Every user who accesses electronic PHI must have a unique identifier (a required implementation specification) so that every action can be traced to a person. No shared accounts. You also need an emergency access procedure so authorized staff can reach ePHI during an outage. Automatic logoff after a period of inactivity is an addressable specification, but it is the expected way to keep an unattended screen from exposing patient data, so implement it or document an equivalent measure.
Encryption is listed as “addressable” rather than strictly required, which does not mean optional. It means that if you decide not to encrypt PHI at rest or in transit, you must document why and implement an equivalent alternative measure. In practice, encryption is the standard expectation. Encrypt data on laptops, mobile devices, and portable media. Use encrypted connections (like TLS) when transmitting PHI over networks. For email, keep in mind that TLS between mail servers protects a single hop, not the message end to end; PHI sent by email needs message-level encryption or a secure portal. Encryption also matters beyond the Security Rule: PHI encrypted in line with HHS guidance (which points to NIST standards) counts as “secured,” so a lost or stolen device whose data was encrypted, and whose key was not also compromised, generally does not trigger breach notification.
Audit controls are required: your systems must be able to record and examine who accessed what data and when. Integrity controls ensure that PHI has not been improperly altered or destroyed. Person or entity authentication means verifying that the person requesting access is who they claim to be, through passwords, tokens, biometrics, or multi-factor authentication.
Privacy Rule Essentials
The Privacy Rule governs how PHI is used and disclosed. The core principle is “minimum necessary”: when using or sharing PHI, limit it to the minimum amount needed to accomplish the purpose. If a billing department needs a patient’s diagnosis code and insurance ID, they should not have access to the full clinical record.
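The following is an added example (not code from the original article or from any EHR product) that ties together the technical safeguards above (unique user identification, audit controls, integrity) with the minimum-necessary principle. It models a small PHI store that refuses requests without a user identity, projects each record down to the fields a role may see (so billing gets the diagnosis code and insurance ID but not the clinical notes), and appends an HMAC-chained audit entry for every attempt so that editing or reordering an earlier log entry is detectable. The roles, field names, sample record and key are all constructed for the example.

```python
"""Minimum-necessary PHI access with a tamper-evident audit trail.

Added example for this article, not code from the original page or from any
EHR product. It models a small PHI store that refuses requests without a
unique user identity, projects each record down to the fields a role may see,
and appends an HMAC-chained audit entry for every attempt so that editing or
reordering an earlier entry is detectable. Roles, field names, the sample
record and the key are all constructed for the example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Role -> fields that role may see. Assumed for the example; a real policy
# comes from the minimum-necessary analysis for each workforce role.
ROLE_FIELDS = {
    "billing": {"patient_id", "insurance_id", "diagnosis_code"},
    "clinician": {"patient_id", "insurance_id", "diagnosis_code",
                  "clinical_notes", "medications"},
}

# Constructed sample record; every value is fictional.
SAMPLE_RECORDS = {
    "P-1001": {
        "patient_id": "P-1001",
        "insurance_id": "INS-55-0042",
        "diagnosis_code": "E11.9",
        "clinical_notes": "Follow-up visit; A1c 7.2.",
        "medications": ["metformin 500 mg"],
    },
}

GENESIS = "0" * 64  # prev-MAC value used by the first entry


class AuditLog:
    """Append-only log; each entry's MAC covers its body and the prior MAC."""

    def __init__(self, key: bytes):
        self._key = key  # held by the logging service, never by app users
        self.entries = []

    def _mac(self, body):
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, user_id, role, patient_id, fields, outcome, when=None):
        body = {
            "ts": when or datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "role": role,
            "patient": patient_id,
            "fields": sorted(fields),
            "outcome": outcome,
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "mac": self._mac(body)})

    def verify(self):
        """Index of the first entry whose MAC or chain link fails, or -1."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev:
                return i
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return i
            prev = entry["mac"]
        return -1


def access_phi(log, user_id, role, patient_id, records=SAMPLE_RECORDS):
    """Return the minimum-necessary view of a record, logging the attempt."""
    if not user_id:
        # No unique identity means no attributable audit trail: refuse.
        log.append("<none>", role, patient_id, (), "denied-no-identity")
        raise PermissionError("a unique user identity is required")
    allowed = ROLE_FIELDS.get(role)
    if allowed is None or patient_id not in records:
        log.append(user_id, role, patient_id, (), "denied")
        raise PermissionError(f"role {role!r} may not access {patient_id}")
    view = {k: v for k, v in records[patient_id].items() if k in allowed}
    log.append(user_id, role, patient_id, view.keys(), "allowed")
    return view


if __name__ == "__main__":
    log = AuditLog(key=b"constructed-demo-key")
    print(access_phi(log, "jdoe", "billing", "P-1001"))
    print("chain intact:", log.verify() == -1)
```

Two design points worth noting. The HMAC key must belong to the logging service, not to the application or its users; otherwise anyone who can write PHI can also forge the record of having done so. And a hash chain detects edits and reordering, but not silent truncation of the newest entries, so the latest MAC should also be anchored somewhere the application cannot reach, such as a forwarded copy in a SIEM or write-once storage.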
Patients have specific rights under the Privacy Rule. They can request copies of their health records, ask for corrections, and receive an accounting of certain disclosures. Access requests must be fulfilled within 30 days (one 30-day extension is allowed if you tell the patient in writing why). Denying or delaying patient access to their own records is one of the top enforcement issues that HHS tracks. You need written policies covering how your organization handles these requests and a designated privacy officer responsible for overseeing compliance.
You must also provide patients with a Notice of Privacy Practices explaining how their information may be used, their rights, and your legal duties.
Business Associate Agreements
If any outside party accesses, stores, or processes PHI on your behalf, you need a written business associate agreement (BAA) in place before sharing data. HHS specifies ten provisions these agreements must contain. The agreement must spell out exactly what the business associate is permitted to do with PHI and prohibit any other use. It must require the associate to implement appropriate safeguards, report any unauthorized disclosures or breaches, make PHI available to patients who request it, and open its records to HHS for compliance reviews.
At the end of the contract, the business associate must return or destroy all PHI. If the associate hires subcontractors who will access PHI, those subcontractors must agree to the same restrictions. The agreement must also give you the right to terminate the contract if the associate violates its terms. Failing to have BAAs in place is a common and easily avoidable compliance gap.
Breach Notification Requirements
If a breach of unsecured PHI occurs (PHI that was not encrypted or destroyed in line with HHS guidance), HIPAA imposes strict notification timelines. You must notify every affected individual in writing without unreasonable delay and no later than 60 calendar days after discovering the breach. If the breach involves more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area within the same 60-day window. For breaches affecting 500 or more individuals, HHS must be notified within 60 days of discovery as well. The clock starts at discovery, which is the first day the breach is known (or by reasonable diligence would have been known) to any workforce member other than the person who caused it, not the day your investigation finishes.
Smaller breaches affecting fewer than 500 individuals still require notification to HHS, but you can report these annually, due within 60 days after the end of the calendar year in which they were discovered. Keeping a log of all security incidents, no matter how small, helps you meet this annual reporting obligation and demonstrates good faith during any enforcement review.
Documentation and Retention
HIPAA requires you to retain all compliance-related documentation for a minimum of six years from the date of creation or the date the document was last in effect, whichever is later. This includes your policies and procedures, risk analyses, training records, BAAs, incident logs, and any corrective action plans. If you update a policy, keep both the old version and the new one. Auditors and investigators will want to see not just your current practices, but your compliance history over time. This period applies to compliance documentation; how long you must keep the medical records themselves is set by state law and professional standards, not by HIPAA.
Common Enforcement Issues to Avoid
HHS enforcement data reveals consistent patterns in what triggers complaints and penalties. The most frequently alleged violations, in order, are: impermissible uses and disclosures of PHI, lack of safeguards, failure to provide patients access to their records, lack of administrative safeguards for electronic PHI, and sharing more information than the minimum necessary. The most commonly investigated entity types are general hospitals, private practices, pharmacies, group health plans, and outpatient facilities.
Many of these issues stem from the same root causes: no documented risk analysis, outdated or missing policies, insufficient staff training, and failure to encrypt portable devices. A stolen, unencrypted laptop containing patient data has been the catalyst for some of the largest HIPAA settlements. These are preventable problems that cost far more to remedy after an enforcement action than to address proactively.